Cybersecurity, learned like a practitioner.
24 learning paths · 398 modules live · every lesson written by someone who has shipped the control or run the engagement. Free to start.
Intermediate · modules
Modules tagged Intermediate.
Console vs API Visibility Gap
AWS console shows curated views. Some resources only visible via API. Some metadata not in console. Attackers operate via API. They see what console hides. Defender visibility gap. The mindset: audit via Config Rules / Cloud Asset Inventory, not console clicks. The console is for humans; the API is for completeness.
Reading Topology Like an Attacker
Defenders read topology as “what we built.” Attackers read it as “what paths exist.” Every line is a path. Every box is a target. The questions an attacker asks: Shortest path from any DMZ host to any DC? What asset has the largest blast radius? Where do trust boundaries live, and where are they soft? […]
Account Boundaries Are Negotiable
“Account boundaries protect us.” They do — until you create cross-account roles. Or federate identity. Or assume a role for a SaaS vendor. Each is a hole in the boundary. Each requires explicit authorisation. Most enterprises grant; few audit. The mindset: account boundary = sum of cross-account access. Inventory + audit quarterly.
Authentication vs Authorization Split
Authentication: who are you. Authorization: what can you do. Most security education conflates them. Most bugs live in the gap. An authenticated user is not authorized for everything they ask. Authorization is per-resource, per-action, often per-attribute. IDOR exists because authn is correct but authz is missing. The mindset: at every endpoint, two questions: “is this […]
Browser Origin Boundaries
Same-Origin Policy is the bedrock of web security. But “origin” has nuances: scheme matters, port matters, path doesn’t. Subdomains aren’t same-origin (they’re same-site, different concept). CORS is opt-in cross-origin. It carries credentials only with explicit allow. Access-Control-Allow-Origin: * with credentials is invalid. Many implementations get this wrong. postMessage crosses origins by design. Receiver must validate […]
State Machines Have More Edges Than You Think
Every web app is a state machine. Order = pending → paid → shipped → delivered. State transitions have rules. The rules have gaps. Attackers enumerate edges adversarially: can I go from pending to delivered, skipping paid? Can I cancel after shipped? Can I trigger paid → paid (double payment processing)? The mindset: draw the […]
The Three Types of Web Sessions
“Session” is overloaded: browser session (open tabs), server session (data keyed by session ID), application session (the user’s logical workflow). Each has different lifetime; each has different invalidation rules. The bug pattern: developer thinks “user logged out, session ended.” Browser session ended. Server session may persist. JWT may still be valid. OAuth refresh token still […]
Why HTTP Headers Are Programmable Trust
Application code routinely trusts HTTP headers. X-Forwarded-For for client IP. Host for routing. Origin for CORS. Each is attacker-controllable in some path. If your code does if (request.headers["X-Admin-Override"] == "true"), you’ve created a backdoor. If your code trusts X-Forwarded-For without validating the immediate peer, you’ve created an IP-spoofing primitive. The mindset: each header your code […]
CDN as Attack Surface
CDN was once a passive cache. Now: edge functions, header rewriting, cache key manipulation, custom routing. Each is a new attack surface. Cache poisoning, cache deception, edge-function privilege escalation, header injection between CDN and origin — all bug classes that didn’t exist when CDN was just static-asset cache. The mindset: list every CDN feature you […]
Why Validation at Multiple Layers
Defence in depth is a phrase. Multi-layer validation is its application. Client-side validation catches user mistakes. Edge validation (WAF) catches bulk attacks. Server-side validation enforces business rules. Database constraints catch the rest. Each catches what the others miss. Skip a layer = bypass that layer’s coverage entirely. The mistake: assuming “the WAF catches it” or […]
Practitioners who've shipped the controls.
Every module is written by someone who has built the defence or run the engagement. No repackaged tutorials, no generic theory.
Why learn here
Practitioner-written.
Each lesson is authored by someone who has shipped the control or run the engagement in production.
Quiz after every module.
20+ questions with explanations. 70%+ to mark complete. Unlimited retries.
Progress tracked.
Completions, scores and streaks saved automatically. Resume exactly where you left off.
India-priced.
Start free. ₹499/mo for intermediate. ₹4,999/yr for advanced. No hidden fees, ever.